Authors: Wei Jinxia (魏金侠); Long Chun (龙春) [1,2]; Fu Hao (付豪); Gong Liangyi (宫良一); Zhao Jing (赵静); Wan Wei (万巍) [1,2]; Huang Pan (黄潘)
Affiliations: [1] Computer Network Information Center, Chinese Academy of Sciences, Beijing 100083; [2] School of Computer Science and Technology, University of Chinese Academy of Sciences, Beijing 100049
Source: Journal of Computer Research and Development (《计算机研究与发展》), 2024, No. 9, pp. 2334-2346 (13 pages)
Funding: Chinese Academy of Sciences Cybersecurity and Informatization Special Project (CAS-WX2022GC-04); Youth Innovation Promotion Association of the Chinese Academy of Sciences (2022170, 2023181); Strategic Priority Research Program of the Chinese Academy of Sciences (XDC02030600).
Abstract: Attackers use domain names flexibly to carry out various kinds of network attacks. Many researchers have proposed malicious domain name detection methods based on statistical features and on association relationships. However, both classes of methods fall short in representing the higher-order relationships among domain name attributes and cannot accurately present the global higher-order relationships between domains. To address this problem, a malicious domain name detection method based on embedded-feature hypergraph learning is proposed. First, a domain name hypergraph structure is built with a decision tree over the spatial statistical features of domain names: the outputs of the nodes in the penultimate layer of the decision tree serve as the prior condition for forming hyperedges, so that the multi-order associations between domain name traffic are represented quickly and clearly. Second, the character embedding features are given an enhanced encoding based on the hypergraph structure features, and the hidden higher-order relationships between characters are mined from the domain name data using both the spatial statistical features and the character embedding encoding features of the domain names. Finally, the effectiveness and feasibility of the method are analyzed and evaluated on real domain name system (DNS) traffic from the China Science and Technology Network, showing that it can detect hidden malicious domain names quickly and efficiently.
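Keywords: malicious domain name; hypergraph learning; decision tree; embedded encoding; spatial statistical features
Classification: TP391 [Automation and Computer Technology: Computer Application Technology]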